Thursday, 16 December 2010

They say impersonation is the sincerest form of flattery, wonder if ID theft victims believe that?

I happened across a few domains a few days ago, that piqued my interest. They piqued my interest because their Google entry appeared to be a direct copy of parts of the hpHosts site. Looking further showed that actually, they'd not copied the site - they were pointing to it in their A records. Certainly different.

The purpose of their doing this is still a mystery. SEO purposes perhaps? Maybe, but unlikely. Regardless, a small change has been made to the site to at least make it a little more difficult for them to get away with it, and further work is being planned to prevent it in future.

I've already had one of the domains, leke5.tk taken down by the registrar, and have come across a new one today that's not using the A records to point to it this time, cd-jjwghotel.com. The domains identified thus far are;
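One defensive change that makes this kind of A-record pointing harder is refusing to serve pages for a Host header that is not one of the site's own names, plus a check that flags any third-party domain found resolving to your own address. The code below is an added example written for this post, not code from the hpHosts site; the hostnames `hphosts.example`, the address `192.0.2.10` and the sample resolution table are constructed placeholders (the real site's names and IPs are not given here), and `leke5.tk` is used only as a sample label for the behaviour the post describes.

```python
"""Host-header allowlist (421 for unknown names) and a 'who points at us' check.

Added example for the hpHosts post above; the names and IPs are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed: the names this server legitimately answers for.
OWN_HOSTNAMES = {"hphosts.example", "www.hphosts.example"}

# Hostname or bracketed IPv6 literal, optional :port.
_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(?P<port>\d{1,5}))?$", re.I
)


def normalize_host(host_header: str) -> Optional[str]:
    """Lowercase the Host value, drop the port and trailing dot; None if malformed."""
    if not host_header:
        return None
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return None
    return m.group("name").lower().rstrip(".")


def host_is_allowed(host_header: str, allowed: Iterable[str] = OWN_HOSTNAMES) -> bool:
    """True only when the normalized Host matches one of our own names."""
    name = normalize_host(host_header)
    return name is not None and name in {h.lower() for h in allowed}


def host_allowlist_app(inner_app, allowed: Iterable[str] = OWN_HOSTNAMES):
    """WSGI wrapper: answer 421 Misdirected Request instead of serving the site
    to a request that arrived via someone else's domain pointed at our IP."""
    def app(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", ""), allowed):
            body = b"421 Misdirected Request\n"
            start_response(
                "421 Misdirected Request",
                [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))],
            )
            return [body]
        return inner_app(environ, start_response)
    return app


def foreign_domains_pointing_at_us(resolutions: Dict[str, List[str]],
                                   own_ips: Iterable[str],
                                   allowed: Iterable[str] = OWN_HOSTNAMES) -> List[str]:
    """Given {domain: [A records]} from whatever resolver or passive-DNS feed you
    use, return the domains that resolve to one of our IPs but are not ours."""
    own = {h.lower() for h in allowed}
    ours = set(own_ips)
    return sorted(d for d, ips in resolutions.items()
                  if d.lower() not in own and ours & set(ips))


# Constructed sample resolution table (192.0.2.0/24 is documentation space).
SAMPLE_RESOLUTIONS = {
    "hphosts.example": ["192.0.2.10"],
    "www.hphosts.example": ["192.0.2.10"],
    "leke5.tk": ["192.0.2.10"],          # third-party name aimed at our address
    "unrelated.example": ["198.51.100.7"],
}


if __name__ == "__main__":
    print(foreign_domains_pointing_at_us(SAMPLE_RESOLUTIONS, ["192.0.2.10"]))

    def site(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hpHosts page\n"]

    guarded = host_allowlist_app(site)
    for host in ("www.hphosts.example:443", "leke5.tk"):
        print(host, guarded({"HTTP_HOST": host}, lambda s, h: None))
```

Putting the allowlist in front of the real application (or the equivalent default-vhost rule in the web server) means a domain that merely copies your A record gets an error page rather than your content, and the resolution check gives you a list to hand to the registrar.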

Monday, 13 December 2010

I've been involved in take down and cleanups and whatnot for longer than I care to remember now, and along the way, there's always been one constant - the refusal of some hosts/ASNs/registrars, to do their job (i.e. enforce their AUP/ToS) and take action against abuse (and in most cases, to bother replying at all). eNom for example, who for years blatantly ignored abuse and were found to be involved in a bit of it themselves, only taking action when HostExploit publicized it, now seem to have retreated back to silence, as abuse reports are once again, going unanswered and unactioned.

The most recent refusal came from NameCheap, who when informed of abuse via their customers, decided once again not to take action, but instead simply point the finger to everyone else.

There are however, some that do take these issues seriously, and it is these that I am going to focus on here.

You'll remember some time ago, I gave mention to one specific hosting company that decided they wanted the record for the quickest not only to respond, but to take action as well. That company is FreeHostia, and as of this morning, they not only still hold the record for the quickest, but beat their previous record of ~10 mins, by replying to and actioning an abuse report in ~5 mins or so - fantastic!

AS29873, "Endurance International Group, Inc." (aka Bizland Inc), recently suspended/cleaned over 50 sites in a single sweep, that had been compromised for use by the Blackhat SEO chaps. Has there been bigger take downs/cleanups? Absolutely - but when you consider the time frame involved, this was much, much faster (approx ~11.5 hours between my sending them the report, and their response informing me action had been taken). Contrast that with Surftown, who have now been sent e-mails many times both by myself, and others, and have still failed miserably to both clean up existing compromised sites, and prevent further compromises occurring (tally as of December 3rd was 373 sites compromised in SurfTown IP space, many of which are cases reported to them months ago, such as lars.web.surftown.se).

GoDaddy also deserve a mention, after previously being amongst the most annoying registrars/hosts, due to their major lack of focus on dealing with, and preventing, abuse. Over the past 12 months, this has changed dramatically, with the takedown of literally thousands of domains, including a couple hundred or so owned by a single customer. One man over there, William MacArthur* (GoDaddy abuse dept), since heading the battle against the bad guys from GoDaddy's side, is responsible for the complete re-write of their reputation (personally, I hope the board give him a huge raise for that - he's earned it, but I'll settle for their giving him A LOT more staff and resources, as they're quickly crawling up the Top 50 Bad Hosts list (#46 in the 3rd quarter of 2010, #34 now)).

BlueHost also deserves special mention here. Standing at #39 in the Top 50 Bad Hosts in the 3rd quarter of 2010, now dropped to #64 - a major improvement. They've consistently been improving their response times, when it comes to abuse reports. Though their recent AS description name change has me a little curious (previously the AS description was quite obviously, BlueHost Inc - now however, it's Ace Datacenters Inc (still the same company)).

DirectI, once one of the most despised registrars in the world, has over the past few years, gone in completely the opposite direction, drastically improving their reputation by severing ties (remember the RBN/EstDomains?), and putting a major focus on taking down malicious domains (and doing such very quickly), and is now amongst my list of the best registrars to deal with.

Not a complete list by any means, but a list of the best and most improved so far. Hopefully we'll see more improvements from other companies.

Edit 21-12-2010 21:23

I've edited the article to include William's name, and it turns out he's not actually in charge of the abuse dept (though in my opinion, he certainly should be), so I've removed reference to that.

A well-placed Chinese security official has been given a suspended death sentence for taking bribes in exchange for his role in an antivirus software fraud scheme.

Yu Bing, former director of the Internet monitoring department of Beijing’s Public Security Bureau, had his agency send out a “virus warning” telling the public to download software from the company Rising Antivirus, to combat a particular computer virus.

But that virus was itself devised by Rising Antivirus, who bribed Yu to send out an email to drum up business, according to a Dec. 2 First Financial Daily report.

The case is an example of how corrupt Communist Party officials work hand in glove with private companies to help the latter gain an unfair market advantage, then receive kickbacks for the trouble.

The fact that Chinese software companies create the viruses they fight is an open secret in the industry, and something attested to by Yu. It’s also a sound moneymaking strategy and makes good business sense, according to industry insiders interviewed by Chinese media.

Tuesday, 9 November 2010

I've got an update on SurfTown coming shortly (still not cleaned their network!!), but in the meantime, a look at what was reported to me as a spammer site, using the same well known fake news site layout, is sending people to SmileyCentral when you click their links - nice to know IAC are still not trying to put a stop to this .... (though perhaps not surprising).

The IP used to house newmovieswatchnow.com (now hosted by NetDirekt (AS28753) at 217.20.116.177), which sends you either to one of those familiar "survey" (scam) sites at mediaboxrussia.com (109.236.82.121, AS49981 109.236.80.0/20 WORLDSTREAM WorldStream), or to flvpro.com (174.137.179.7 PTR: tigertango.com, AS36057 174.137.176.0/22 WEBAIR-AMS Webair Internet Development Inc), depending on which link you click ("Download" or "Watch Online Now").

Sunday, 7 November 2010

Oh joy. As if BT hadn't made things horrid to begin with, with outages sporadically over the past few weeks, it seems something has gone awry again today.

Unfortunately, whilst the primary hpHosts server seems to be working, the rest are not, nor is the mail server (has a motherboard issue). I've done what I can from here, but won't actually have direct access to the servers until later this morning.

Friday, 5 November 2010

Recent reports from various sources in the security industry show that a large takedown of servers associated with the “Bredolab” trojan occurred within the past few weeks. While most of the reports have focused around the idea that this infrastructure was solely related to the command and control of Bredolab, our research shows that these servers were used as an all-purpose hosting infrastructure for criminal activity.

This criminal system came to our attention in July 2010, when NetWitness analysts were asked to investigate a hacked wordpress blog.

We found that the following obfuscated script had been injected into all .html and php pages on the site:

Saturday, 30 October 2010

A lot has been publicized regarding malicious hosts, both by myself and many others. Of course, in the cybercrime world, along with campaigns to infect you, the criminals are also fighting with each other, to out-do each other.

ASs such as AlfaHost (AS50793), Ecatel (AS29073), GlobalNET (AS42560), VLineTelecom (AS39150), ALTNET-LV (AS41390), Akrino Inc (AS44571), VolgaHost (Bondarenko Dmitriy Vladimirovich, AS29106), to name but a few, are all top of the leader board of the most active rogue, malware/exploit and botnet C&C servers for example (excluding compromised sites). However, the biggest problem with these ASs isn't actually the ASs themselves - the biggest problem is Ripe, the registry that leases the IP ranges to these criminals.

Taking down an entire AS is no mean feat, but is something Ripe could do in an instant. Quite why they're letting this continue is puzzling - but the likely reason is money.

To take GlobalNet as just one example, they are by far one of the most active for the distribution of fake scanner websites and the payload servers for fake AVs. They're not even exactly trying to hide this. For example, pick any IP on 77.78.203.0/24 or 77.78.201.0/24, just two of their ranges (not the only ones with malicious content by any stretch, but they are the most active of the lot) - and you'll find a rogue living there. All they're doing is moving it to the next IP in the range periodically. Ripe could quite easily put a stop to this instantly, so why aren't they?

Just a small example of maliciousness that's been seen at GlobalNet includes;

AlphaHost and VolgaHost, just two ASs that are 100% malicious, could quite easily be taken offline if Ripe revoked their ranges, making things a lot easier for the public (albeit in the short term, until they found another range), so why aren't they?

I've tried asking Ripe this question myself, but questions have gone ignored, so evidently it's going to take someone with a lot more influence than myself to get them to explain themselves.

/update

It should be noted, as I didn't make it clear, Ripe aren't the only registry that issue IP ranges, there's a few others such as Arin, they just happen to be the associated registry in this case.